File name:	240068633e980e781ef4a3903c423c87.exe
Full analysis:	https://app.any.run/tasks/8878b3ac-4488-4611-b6c5-1a070452b5b2
Verdict:	Malicious activity
Threats:	DCrat, also known as Dark Crystal RAT, is a remote access trojan (RAT), which was first introduced in 2018. It is a modular malware that can be customized to perform different tasks. For instance, it can steal passwords, crypto wallet information, hijack Telegram and Steam accounts, and more. Attackers may use a variety of methods to distribute DCrat, but phishing email campaigns are the most common. Remote access trojans (RATs) are a type of malware that enables attackers to establish complete to partial control over infected computers. Such malicious programs often have a modular design, offering a wide range of functionalities for conducting illicit activities on compromised systems. Some of the most common features of RATs include access to the users’ data, webcam, and keystrokes. This malware is often distributed through phishing emails and links. Malware Trends Tracker >>>
Analysis date:	May 18, 2025, 00:14:47
OS:	Windows 10 Professional (build: 19044, 64 bit)
Tags:	dcrat rat
Indicators:
MIME:	application/vnd.microsoft.portable-executable
File info:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows, 3 sections
MD5:	240068633E980E781EF4A3903C423C87
SHA1:	A7474B6716E1DA4F69BAE306A867AFBA5ED2ABB2
SHA256:	C43C36331895BE9C8DBC41B1993144C13953B10399423B013587BD7C5AFE4279
SSDEEP:	49152:jwU+cgQSXJXMnxfa5hQxpgPup6jxv37Ek+hB/vnQEnKuDpxCBioTb/UtvVmtRwul:MUcbWGT3h2vQErvCBioTbcv8tRwQPdue

.exe	\|	Generic CIL Executable (.NET, Mono, etc.) (56.7)
.exe	\|	Win64 Executable (generic) (21.3)
.scr	\|	Windows screen saver (10.1)
.dll	\|	Win32 Dynamic Link Library (generic) (5)
.exe	\|	Win32 Executable (generic) (3.4)

MachineType:	Intel 386 or later, and compatibles
TimeStamp:	2025:01:29 15:01:49+00:00
ImageFileCharacteristics:	Executable, No line numbers, No symbols, 32-bit
PEType:	PE32
LinkerVersion:	11
CodeSize:	1879040
InitializedDataSize:	1536
UninitializedDataSize:	-
EntryPoint:	0x1ccb1e
OSVersion:	4
ImageVersion:	-
SubsystemVersion:	4
Subsystem:	Windows GUI
FileVersionNumber:	1.2.7.1277
ProductVersionNumber:	1.2.7.1277
FileFlagsMask:	0x003f
FileFlags:	(none)
FileOS:	Win32
ObjectFileType:	Executable application
FileSubtype:	-
LanguageCode:	Neutral
CharacterSet:	Unicode
CompanyName:	-
FileDescription:	-
FileVersion:	1.2.7.1277
InternalName:	SpotifyStartupTask
LegalCopyright:	Copyright (c) 2023, Spotify Ltd
OriginalFileName:	SpotifyStartupTask.exe
ProductName:	-
ProductVersion:	1.2.7.1277


(PID) Process:	(7704) 240068633e980e781ef4a3903c423c87.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\51cb466e8ba95a2a05bb21edbd5900d9fb505627
Operation:	write	Name:	0b272ec27eb43f7ec1bb6e9c0dd18f3cc60c4fb6
Value: H4sIAAAAAAAEAIXPsQ6CMBAG4FcxzsYgJYhuBAcHTQxqHDyH0h7QUFvSK+rji8aFaOJ0N3z/f7nzOFsCnJSR9k4AOVaKvONeWQOQ5duNrQAKLprK2c7IA6dmbclP8YHjyTDbx4QyPS+t8dLd6qE7ErpepVqPPqsmTvQtdl2hlQDYdvQae+RO1Gnb/pVS6983ubyq/p0VUuNtCxBGQRAnMWO4SAKcJzMsI84WARNRyEQyfzdcnn9DYskbAQAA

PID	Process	Filename		Type
7704	240068633e980e781ef4a3903c423c87.exe	C:\Users\admin\Desktop\3aaa49f49d88a6		text
		MD5:FEC8AAB53C54B2944855AE1E4A2733B1	SHA256:99D3DFB04662268CDF42C7BBAF86E1D3FD0C1C15EA3490F974A222F4B61C74C4
7704	240068633e980e781ef4a3903c423c87.exe	C:\Windows\tracing\fontdrvhost.exe		executable
		MD5:240068633E980E781EF4A3903C423C87	SHA256:C43C36331895BE9C8DBC41B1993144C13953B10399423B013587BD7C5AFE4279
7704	240068633e980e781ef4a3903c423c87.exe	C:\ProgramData\lsass.exe		executable
		MD5:240068633E980E781EF4A3903C423C87	SHA256:C43C36331895BE9C8DBC41B1993144C13953B10399423B013587BD7C5AFE4279
7704	240068633e980e781ef4a3903c423c87.exe	C:\Users\admin\Desktop\tcYGXvCD.log		executable
		MD5:E9CE850DB4350471A62CC24ACB83E859	SHA256:7C95D3B38114E7E4126CB63AADAF80085ED5461AB0868D2365DD6A18C946EA3A
7704	240068633e980e781ef4a3903c423c87.exe	C:\Users\Public\Music\38384e6a620884		text
		MD5:273D5242C730A25C208DFF9BF53776CF	SHA256:C29C655A2A557EA1ADC2AC1E0A987F62A619A7668C14F595BB84B18B66B1C4DB
7704	240068633e980e781ef4a3903c423c87.exe	C:\Users\admin\Desktop\lyPQnBnV.log		executable
		MD5:F4B38D0F95B7E844DD288B441EBC9AAF	SHA256:AAB95596475CA74CEDE5BA50F642D92FA029F6F74F6FAEAE82A9A07285A5FB97
7704	240068633e980e781ef4a3903c423c87.exe	C:\Users\Public\Music\SearchApp.exe		executable
		MD5:240068633E980E781EF4A3903C423C87	SHA256:C43C36331895BE9C8DBC41B1993144C13953B10399423B013587BD7C5AFE4279
7704	240068633e980e781ef4a3903c423c87.exe	C:\Windows\tracing\5b884080fd4f94		text
		MD5:86866409E5C70B241A6533F67A564B11	SHA256:6A17A9FA3AAA934E66DD38E9158B5A43EC4E036CEC38ABACBC15CC95D388D41F
7704	240068633e980e781ef4a3903c423c87.exe	C:\Windows\Registration\CRMLog\backgroundTaskHost.exe		executable
		MD5:240068633E980E781EF4A3903C423C87	SHA256:C43C36331895BE9C8DBC41B1993144C13953B10399423B013587BD7C5AFE4279
7704	240068633e980e781ef4a3903c423c87.exe	C:\Users\admin\AppData\Local\Temp\MceTdaMnXx		text
		MD5:10DFAA03F6E110399D99E505750C031F	SHA256:26A57F1AECF98D9587B040F343880464F5BBF65D33883466D4C1AC1142877DAA

PID	Process	Method	HTTP Code	IP	URL	CN	Type	Size	Reputation
8068	SIHClient.exe	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl	unknown	—	—	whitelisted
8068	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl	unknown	—	—	whitelisted
8068	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
8068	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
8068	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl	unknown	—	—	whitelisted
8068	SIHClient.exe	GET	200	184.30.21.171:80	http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl	unknown	—	—	whitelisted
8068	SIHClient.exe	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl	unknown	—	—	whitelisted
8068	SIHClient.exe	GET	200	23.216.77.20:80	http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl	unknown	—	—	whitelisted

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	51.124.78.146:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
3216	svchost.exe	172.211.123.249:443	client.wns.windows.com	MICROSOFT-CORP-MSN-AS-BLOCK	FR	whitelisted
8068	SIHClient.exe	4.245.163.56:443	slscr.update.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
8068	SIHClient.exe	23.216.77.20:80	crl.microsoft.com	Akamai International B.V.	DE	whitelisted
8068	SIHClient.exe	184.30.21.171:80	www.microsoft.com	AKAMAI-AS	DE	whitelisted
8068	SIHClient.exe	52.165.164.15:443	fe3cr.delivery.mp.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
7412	slui.exe	40.91.76.224:443	activation-v2.sls.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
6544	svchost.exe	20.190.160.5:443	login.live.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted

Domain	IP	Reputation
settings-win.data.microsoft.com	51.124.78.146	whitelisted
google.com	172.217.18.14	whitelisted
client.wns.windows.com	172.211.123.249	whitelisted
slscr.update.microsoft.com	4.245.163.56	whitelisted
crl.microsoft.com	23.216.77.20 23.216.77.6 23.216.77.42	whitelisted
www.microsoft.com	184.30.21.171	whitelisted
fe3cr.delivery.mp.microsoft.com	52.165.164.15	whitelisted
activation-v2.sls.microsoft.com	40.91.76.224	whitelisted
nexusrules.officeapps.live.com	52.111.243.31	whitelisted
login.live.com	20.190.160.5 20.190.160.3 20.190.160.128 20.190.160.22 20.190.160.4 20.190.160.17 20.190.160.14 20.190.160.130	whitelisted

General Info

240068633e980e781ef4a3903c423c87.exe

240068633E980E781EF4A3903C423C87

A7474B6716E1DA4F69BAE306A867AFBA5ED2ABB2

C43C36331895BE9C8DBC41B1993144C13953B10399423B013587BD7C5AFE4279

49152:jwU+cgQSXJXMnxfa5hQxpgPup6jxv37Ek+hB/vnQEnKuDpxCBioTb/UtvVmtRwul:MUcbWGT3h2vQErvCBioTbcv8tRwQPdue

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

DCRAT mutex has been found

SUSPICIOUS

The process creates files with name similar to system file names

Executable content was dropped or overwritten

Reads security settings of Internet Explorer

Reads the date of Windows installation

Executing commands from a ".bat" file

Starts CMD.EXE for commands execution

Starts application with an unusual extension

Runs PING.EXE to delay simulation

INFO

Checks supported languages

Creates files in the program directory

Reads the computer name

Reads Environment values

Create files in a temporary directory

Failed to create an executable file in Windows directory

Process checks computer location settings

Reads the machine GUID from the registry

Changes the display of characters in the console

Checks proxy server information

Reads the software policy settings

Malware configuration

Static information

TRiD

EXIF

EXE

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings